Google will no longer trust certain Symantec certificates and you will miss the green padlock in the Google Chrome browser. Owners of such certificates have to reckon with shorter and shorter validity of such certificates; they should already do a bro-SSL-check.

DigiCert: a good reseller, superior support, a nice portal to order and manage your certs, and also a support unit that functions outside the normal 9 to 5 scheme, and you certainly cannot say that for all of these services. So let's hope for the best.

Google and Firefox will feel their pulse where SSL-CT is concerned... let's wait and see...

Damian


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Revocation applies only from that date onward, and earlier versions of the malware with digital signatures may therefore be considered as being valid and slip through.

Therefore the whole revocation scheme can be considered a disaster, as the update frequency at http://tl.symcb.com/tl.crl takes a fortnight, so when your computer downloaded this yesterday, it will be another thirteen days. Until that day the computer will trust the CRL to be valid. A complete FAIL, also for AV vendors and end-users. Some things have to change...

polonus

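The two failure modes described in the post above (a revocation only counts from its revocation date, so a signature timestamped earlier stays trusted, and a cached CRL is treated as authoritative until its nextUpdate, a fortnight later for the Symantec/Thawte CRL mentioned) can be modelled in a few lines. The following is an added example, not code from the post or from any vendor; the serial numbers, dates and CRL contents are constructed, and the fourteen-day nextUpdate is taken as an assumption from the post. The model also includes the Invalidity Date CRL entry extension (RFC 5280 section 5.3.2), which a CA can use to backdate the point from which signatures are no longer trusted.

```python
"""Model of a cached CRL versus a timestamped code signature (added example).

Assumptions (not from the post): a client keeps a CRL until its nextUpdate,
a signature carries a trusted timestamp, and a revoked entry is honoured from
its Invalidity Date if present, otherwise from its revocation date.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    invalidity_date: Optional[datetime] = None  # CRL entry extension, may be absent

    def effective_from(self) -> datetime:
        # The Invalidity Date, when present, is the moment the key is believed
        # compromised; it is earlier than the revocation date.
        return self.invalidity_date or self.revocation_date


@dataclass
class CachedCRL:
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, RevokedEntry] = field(default_factory=dict)

    def is_fresh(self, now: datetime) -> bool:
        # A client treats the cached CRL as authoritative until nextUpdate.
        return self.this_update <= now < self.next_update


def crl_published(at: datetime, entries=()) -> CachedCRL:
    # nextUpdate a fortnight after thisUpdate (assumption taken from the post).
    return CachedCRL(this_update=at, next_update=at + timedelta(days=14),
                     revoked={e.serial: e for e in entries})


def signature_status(serial: int, signing_time: Optional[datetime],
                     crl: CachedCRL, now: datetime) -> str:
    """Return 'trusted', 'revoked' or 'stale-crl' for a signature by `serial`."""
    if not crl.is_fresh(now):
        return "stale-crl"  # client must fetch a new CRL before deciding
    entry = crl.revoked.get(serial)
    if entry is None:
        return "trusted"  # the cached CRL simply does not list the cert
    if signing_time is not None and signing_time < entry.effective_from():
        return "trusted"  # timestamped before the revocation became effective
    return "revoked"


def demo() -> Dict[str, str]:
    """Constructed scenario: CRL fetched yesterday, cert revoked today."""
    stolen = 0xBAD5E41A  # constructed serial of the abused signing cert
    cached_at = datetime(2017, 10, 1, 12, tzinfo=UTC)   # CRL fetched yesterday
    revoked_at = datetime(2017, 10, 2, 12, tzinfo=UTC)  # CA revokes today
    now = revoked_at + timedelta(hours=1)
    old_crl = crl_published(cached_at)  # knows nothing about the revocation
    new_crl = crl_published(revoked_at, [RevokedEntry(stolen, revoked_at)])
    backdated_crl = crl_published(revoked_at, [RevokedEntry(
        stolen, revoked_at, invalidity_date=datetime(2017, 9, 1, tzinfo=UTC))])
    signed_last_month = datetime(2017, 9, 15, tzinfo=UTC)
    signed_after_revocation = revoked_at + timedelta(minutes=30)
    return {
        # Stale cache: malware signed after revocation still passes for 13 days.
        "cached_crl_misses_revocation":
            signature_status(stolen, signed_after_revocation, old_crl, now),
        # Fresh CRL, but the old timestamped build is still trusted.
        "fresh_crl_old_signature":
            signature_status(stolen, signed_last_month, new_crl, now),
        "fresh_crl_new_signature":
            signature_status(stolen, signed_after_revocation, new_crl, now),
        # Invalidity Date set to 1 Sept: the 15 Sept signature is now rejected.
        "invalidity_date_backdates":
            signature_status(stolen, signed_last_month, backdated_crl, now),
        # Only once the old CRL expires is the client forced to refetch.
        "after_cache_expiry":
            signature_status(stolen, signed_after_revocation, old_crl,
                             cached_at + timedelta(days=15)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `invalidity_date_backdates` case is the one lever a CA actually has against already-timestamped signatures; without it, only files signed after the revocation date are caught, which is exactly the gap the post complains about.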

This would not all be that problematic if we did not have stolen code-signing certificates to sign, for example, malware Java applets etc.

This happened in the past to Opera and Adobe and various others.

Certificates sold to non-existing entities to certify malicious executables. Or trusted certificates are being used (abused), but not for the institutions they were meant for, like Nokia and GMail. Furthermore there are MitM attacks on CAs.

The PKI system is not functioning as it should; it should be strengthened and also used to assist AV in pointing at misused servers and abuse. When authentication servers do not have the right update engines to update sufficiently, we are in trouble. Then there are attacks on CAs; think of the Dutch DigiNotar tragedy.

polonus


One victim of these sloppy revocation procedures, and of the way in which Windows does this or fails to do so, also helped by AV vendors with insecure https scanning procedures (Bitdefender etc.) not taking this into the bargain, reported by me here in "the virus and worms", and ironically for his revocation testing website:

A response from microsoft.com: they do not consider certificate revocation that is not functioning a security issue, but see it as a normal Windows bug or a Thawte issue. Dutch security technician Bitwiper, who got this response, then wrote in reply:

Quote

This is about code signing certificate revocation not working in Windows, either because of issues in Thawte's CRL file, or because of a bug in Windows.

In any case, how can this not be a _security_ bug?

What if the cybercriminals involved started signing and distributing backdoored UEFI drivers? Or seemingly legitimate Windows updates (for example on public WiFi by _replacing_ .cab files downloaded from Windows update servers via http) using this compromised Thawte certificate?

What would be the point of authenticode or digital signatures in general if errors (private key compromises or certificates sold to malicious parties) cannot be undone?

When "trusted" no longer really means "Trusted"? We are all food for the birds....

So we need an independent foundation delivering identity services, but this is not only the technical side; it is also seeing to it that cybercriminals and spooks cannot manipulate (DNS, make you download compromised downloads etc.). Not an easy thing to do.

The certification industry and Microsoft certainly created a predicament for users here, or caused this situation to arise...

polonus (volunteer website security analyst and website error-hunter)


An error occurred during a connection to isc.sans.edu. The OCSP server suggests trying again later. Error code: SEC_ERROR_OCSP_TRY_SERVER_LATER

We see the site using OCSP stapling. In Wireshark we see a TLSv1.2 network packet with the states "Certificate, Certificate Status, Server Key Exchange, Server Hello Done". Info: Bitwiper.

Quote

OCSP Response responseStatus: tryLater (3)

When your CA has not solved several issues, the site cannot be reached... Download http://tl.symcb.com/tl.crl and install it whenever you are a malware researcher of sorts or dealing with potentially insecure files... install with a right click on the file... When a file has been downloaded automatically, revocation will not be due for another fortnight.... See also https://imgur.com/a/rMHPE for a Thawte CRL fail...

All is also platform dependent -> xs4all does not have CAA installed!!!

No pre-loading: Domain is a subdomain, and can't be preloaded. HSTS header missing the "includeSubDomains" attribute. HSTS header missing the "preload" attribute. Complete Results: https://hstspreload.org/?domain=www.xs4all.nl There should not be a fake timestamp from before the revocation date...
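The Wireshark observation above (a server flight of Certificate, Certificate Status, Server Key Exchange, Server Hello Done, with the stapled OCSP response carrying responseStatus tryLater (3)) is easy to reproduce on the wire: the CertificateStatus handshake message (RFC 6066 section 8) wraps a DER OCSPResponse whose first element is the ENUMERATED responseStatus, and a tryLater response has no responseBytes at all, so the whole thing is five bytes. The following parser is an added example, not code from the post or from Wireshark or Firefox; the handshake flight it parses is constructed here, and the "successful" response in it carries a placeholder responseBytes element rather than a real BasicOCSPResponse.

```python
"""Extract the stapled OCSP responseStatus from a TLS 1.2 server flight.

Added example with constructed input. Handshake message layout: 1-byte type,
3-byte length, body. CertificateStatus (type 22) body: 1-byte status_type
(1 = ocsp), 3-byte length, DER OCSPResponse. OCSPResponse (RFC 6960):
SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }.
"""
from typing import Iterator, Optional, Tuple

OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
HS_CERTIFICATE, HS_SERVER_HELLO_DONE, HS_CERTIFICATE_STATUS = 11, 14, 22


def _der_tlv(buf: bytes, offset: int) -> Tuple[int, int, int]:
    """Parse one DER TLV at offset; return (tag, value_start, value_end)."""
    tag, length = buf[offset], buf[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, offset, end


def ocsp_response_status(der: bytes) -> Tuple[int, str, bool]:
    """Return (code, name, has_response_bytes) for a DER OCSPResponse."""
    tag, start, end = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, vstart, vend = _der_tlv(der, start)
    if tag != 0x0A or vend - vstart != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    code = der[vstart]
    # Only a successful response carries responseBytes; tryLater ends here.
    return code, OCSP_STATUS.get(code, f"unknown({code})"), vend < end


def parse_certificate_status(msg: bytes) -> Tuple[int, str, bool]:
    """Parse one CertificateStatus handshake message (RFC 6066 section 8)."""
    if len(msg) < 4 or msg[0] != HS_CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    if body[0] != 1:
        raise ValueError("status_type is not ocsp(1)")
    resp_len = int.from_bytes(body[1:4], "big")
    der = body[4:4 + resp_len]
    if len(der) != resp_len:
        raise ValueError("truncated OCSP response")
    return ocsp_response_status(der)


def iter_handshake_messages(flight: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, message) for each handshake message in a record payload."""
    off = 0
    while off < len(flight):
        if off + 4 > len(flight):
            raise ValueError("truncated handshake header")
        mlen = int.from_bytes(flight[off + 1:off + 4], "big")
        msg = flight[off:off + 4 + mlen]
        if len(msg) != 4 + mlen:
            raise ValueError("truncated handshake message")
        yield flight[off], msg
        off += 4 + mlen


def stapled_ocsp_status(flight: bytes) -> Optional[Tuple[int, str, bool]]:
    """Find the CertificateStatus message in a server flight, if any."""
    for mtype, msg in iter_handshake_messages(flight):
        if mtype == HS_CERTIFICATE_STATUS:
            return parse_certificate_status(msg)
    return None  # server did not staple anything


def handshake_message(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def certificate_status_message(der: bytes) -> bytes:
    return handshake_message(HS_CERTIFICATE_STATUS,
                             b"\x01" + len(der).to_bytes(3, "big") + der)


# Constructed inputs: the five-byte tryLater response the post shows, and a
# "successful" response whose responseBytes is a placeholder, not real OCSP data.
TRY_LATER_DER = bytes.fromhex("30030a0103")
SUCCESS_DER = bytes.fromhex("30070a0100a0023000")
FLIGHT_TRY_LATER = (handshake_message(HS_CERTIFICATE, b"\x00\x00\x00")
                    + certificate_status_message(TRY_LATER_DER)
                    + handshake_message(HS_SERVER_HELLO_DONE, b""))

if __name__ == "__main__":
    print(stapled_ocsp_status(FLIGHT_TRY_LATER))  # (3, 'tryLater', False)
```

A client that sees code 3 in the staple has nothing to validate, which is why Firefox reports SEC_ERROR_OCSP_TRY_SERVER_LATER as in the post: the server has stapled the responder's own "come back later" instead of a signed good/revoked answer.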